Synology warned its customers that few of its network-attached storage (NAS) appliances are vulnerable to cyberattacks compromising various critical Netatalk vulnerabilities. Various vulnerabilities allow remote hackers to access critical information and may execute arbitrary code through a vulnerable variant of Synology Router Manager and DiskStation Manager (DSM).
Netatalk is an Apple Filing Protocol (AFP) open-source platform that lets devices running on *NIX/*BSD work as AppleShare file servers (AFP) for Mac OS users for viewing files stored on Synology NAS devices.
The development team of Netatalk fixed the patches in version 3.1.1, issued in March, following the Pwn2Own hacking competition in 2021. The vulnerabilities were first found and exploited in the competition. The EDG team of the NCC group exploited the vulnerability rated 9.8/10 severity score and tracked as CVE-2022-23121 to deploy remote code execution without verification on a Western Digital PR4100 NAS that runs on My Cloud OS firmware during the Pwn2Own competition. Synology mentioned three vulnerabilities in the latest warning- CVE-2022-23125, CVE-2022-23122, CVE-2022-0194, all three having high severity ratings.
They are also letting malicious hackers deploy arbitrary codes on unfixed devices. The Netatalk development team released the security patches to resolve the issues in April, even then according to Synology, the releases for some affected devices are still in process. The NAS maker hasn't given any fixed timeline for future updates, according to Synology, it usually releases security patches for any impacted software within 90 days of publishing advisories. "
QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company's cloud-optimized NAS operating system.
Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 4.5.4.2012 build 20220419 and later," reports Bleeping Computers.
